Sensitive Data Classification

ABSTRACT

A gateway device includes a network interface connected to data sources, and computer instructions, that when executed cause a processor to access data portions from the data sources. The processor accesses classification rules, which are configured to classify a data portion of the plurality of data portions as sensitive data in response to the data portion satisfying the rule. Each rule is associated with a significance factor representative of an accuracy of the classification rule. The processor applies each of the set of classification rules to a data portion to obtain an output of whether the data is sensitive data. The output are weighed by significance factors to produce a set of weighted outputs. The processor determines if the data portion is sensitive data by aggregating the set of weighted outputs, and presents the determination in a user interface. Security operations may also be performed on the data portion.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.17/019,201, filed Sep. 12, 2020, now patent Ser. No. ______, whichapplication is a continuation of U.S. application Ser. No. 15/892,802,filed Feb. 9, 2018, now U.S. Pat. No. 10,810,317, which applicationclaims the benefit of U.S. Provisional Application No. 62/458,143, filedFeb. 13, 2017, all of which are incorporated by reference in theirentirety.

BACKGROUND 1. Field of Art

The disclosure generally relates to the field of data protection, andmore particularly to a method of automatically classifying informationinto different levels of sensitive data and automatically performingactions based on the level of sensitivity and reporting actions to auser in a user interface.

2. Description of the Related Art

With the increasing reliance upon online, paperless transactions,sensitive information of users, such as social security numbers,addresses, payment information, and so on, is more and more commonlystored in online databases, and in more locations than before. Thiscreates a wider attack surface for malicious entities to attempt to gainaccess to such sensitive information. Furthermore, as this sensitiveinformation is propagated to more and more online repositories, itbecomes difficult for an admin to keep track of where such data is beingstored in a system. Due to human error or the complexity of a system,sensitive information may be stored in unexpected locations. Forexample, a user may have inadvertently kept a backup of customer data ina local storage location on a client machine. With the increased focuson data security, many new standards are being created by government andenforced against organizations. Current systems typically require a userto manually comb through the various data sources within an organizationin order to determine which portions of these data sources includesensitive information. Furthermore, the user needs to manually determinehow to act upon such data if it becomes necessary to modify it in orderto increase the protection afforded to the data. This is a tediousprocedure that can easily result in oversights and may itself createmore problems as the user may have to transfer sensitive data acrossdata sources when securing the data. Furthermore, this tedious procedureof manually discovering sensitive data in electronic systems cannotscale and compete with the pace of data growth and distribution. Thus,what is lacking is a system that can automatically parse through thedata sources in an organization, intelligently determine which portionsof the data sources contain sensitive data, and perform correctiveaction on such portions of data such that they adhere with prescribedsecurity protocols.

BRIEF DESCRIPTION OF DRAWINGS

The disclosed embodiments have other advantages and features which willbe more readily apparent from the detailed description, the appendedclaims, and the accompanying figures (or drawings). A brief introductionof the figures is below.

Figure (FIG. 1 illustrates a system for automatically scanning forsensitive data from multiple data sources, according to one embodiment.

FIG. 2 is a diagram illustrating exemplary components of the dataclassifier 108 of FIG. 1 , according to one embodiment.

FIG. 3 is a diagram illustrating exemplary components of the classifierrefinement engine 110 of FIG. 1 , according to one embodiment.

FIG. 4 is a flowchart illustrating a method of determining whether adata portion in a data source is sensitive data, according to anembodiment.

FIG. 5 illustrates an exemplary UI of a primary reporting pageindicating where sensitive data is in an organization's data sources,according to an embodiment.

FIG. 6 illustrates an exemplary UI of a primary reporting pageindicating where sensitive data is in an organization's data sourceslisted by subsystem, according to an embodiment.

FIG. 7 illustrates an exemplary UI of an alternative reporting pageindicating where sensitive data is in an organization's data sources,according to an embodiment.

FIG. 8 illustrates an exemplary UI of a sensitive data list view,according to an embodiment.

FIG. 9 illustrates an exemplary UI of a drill down view of the sensitivedata list view of FIG. 8 , according to an embodiment.

FIG. 10 illustrates an exemplary UI of a different drill down view ofthe sensitive data list view of FIG. 8 with different classifiercomponents, according to an embodiment.

FIG. 11 illustrates an exemplary UI of a further drill down view of thesensitive data list view of FIG. 8 with entries that have low confidencevalues, according to an embodiment.

FIG. 12 illustrates an exemplary UI of a different section of thesensitive data list view of FIG. 8 with contextual data, according to anembodiment.

FIG. 13 is a block diagram illustrating components of an example machineable to read instructions from a machine-readable medium and executethem in one or more processors (or controllers), according to anembodiment.

DETAILED DESCRIPTION

The figures and the following description relate to preferredembodiments by way of illustration only. It should be noted that fromthe following discussion, alternative embodiments of the structures andmethods disclosed herein will be readily recognized as viablealternatives that may be employed without departing from the principlesof what is claimed.

Reference will now be made in detail to several embodiments, examples ofwhich are illustrated in the accompanying figures. It is noted thatwherever practicable similar or like reference numbers may be used inthe figures and may indicate similar or like functionality. The figuresdepict embodiments of the disclosed system (or method) for purposes ofillustration only. One skilled in the art will readily recognize fromthe following description that alternative embodiments of the structuresand methods illustrated herein may be employed without departing fromthe principles described herein.

Exemplary Sensitive Data Scanner System

FIG. 1 illustrates a system for automatically scanning for sensitivedata in multiple data sources, according to one embodiment. Although aparticular arrangement of elements is shown here, in other embodimentsthe arrangement of elements differs from that shown while achieving thesame effects. The elements shown in FIG. 1 may be implemented using acombination of hardware components, such as a processor, and softwareinstructions, stored on computer readable storage medium and executed bythe hardware components, which are described with further detail inreference to FIG. 13 .

The illustrated system includes one or more input data sources 102A-Nand a sensitive data scanner 104. The sensitive data scanner 104includes a data pre-processor 106, a data protect module 112, a dataclassifier 108, a classifier refinement engine 110, and a dataclassification reporting module 114. In one embodiment, the sensitivedata scanner 104 is a gateway device that is placed within the computernetwork of an organization and configured to, for instance, interceptdata from one or more data sources, identify portions of the intercepteddata as sensitive by applying classifiers to the data portions (asdescribed below), and take one or more security options with regards tothe data portions identified as sensitive.

The input data sources 102A-N include any type of data source that mayinclude sensitive data. Sensitive data is data that may be defined asany data that is protected against unwarranted or undesired disclosureto unknown persons or the general public. This protected data may bedefined by the law of a jurisdiction under which an organizationoperates. The protected data may also or alternatively be definedaccording to the desires of a set of customers, organizational policy,and so on. As another alternative, the protected data may be any type ofdata that may be used by a malicious actor to harm an individual,whether the harm is material or emotional, such as with identity theftor blackmail.

Examples of sensitive data that may be protected under one or more ofthe above definitions include financial data of an individual (e.g., asocial security number, credit card information), personally identifyingdata (e.g., name and address), academic records, health/medical records(e.g., as protected by the Health Insurance Portability andAccountability Act of 1996), confidential information (e.g.,confidential government or corporate information), passwords, privateinformation, and so on.

The sensitive data included within the input data sources 102A-N may beof any data format. The sensitive data may be in plaintext, encrypted,audio, visual, video, binary, or any other format of data that may beread by a computer. The input data sources 102A-N may include short termstorage (e.g., random access memory), or long term storage (e.g., tapedrives).

Examples of input data sources 102A-N include relational databases, flatfiles (e.g., comma separated values files, PDF files, Excel files),structured data files (e.g., XML, JSON, AVRO), data within a customerrelationship management (CRM) software, and so on.

The data pre-processor 106 receives data from the input data sources102A-N and pre-process the data for use by the data classifier 108. Thedata pre-processor 106 may convert the data received from the input datasources 102A-N as well as combine the data received from the input datasources 102A-N. The data pre-processor 106 may convert the data receivedfrom the input data sources 102A-N to a usable format for the dataclassifier 108. In one embodiment, the data pre-processor 106 extractsfeatures from the data received from the input data sources 102A-N. Inanother embodiment, the data pre-processor 106 converts the data in theinput data sources 102A-N to a common data structure that may be parsedby the data classifier 108, along with metadata identifying its sourcein the input data sources 102A-N. This may be achieved via a variety ofdata conversion processes. This common data structure, may be, forexample, a graph structure that indicates the relationship betweenvarious data elements from the input data (via connecting edges in thegraph), and presents the input data in a single format, such as text.

The data pre-processor 106 may determine the relationship between theinput data sources 102A-N using various rules. Data from the input datasources 102A-N may have a relationship as defined by the data itself.This may be in the form of related columns in a database, data from asingle source, spatial or temporal proximity of data to other data, andso on. These relationships may be indicated by the data pre-processor106 in the common structure (e.g., by connecting nodes in a graph) whenthe data pre-processor 106 parses the input data sources 102A-N andplaces the data in the common structure. For data not matching thesingle format in the common data structure, the data pre-processor 106may convert this data into the single format, e.g., plain text. Forexample, for structured data of the input data sources 102A-N, the datapre-processor 106 may extract the data from the structured data sourcesinto the single format, and indicate their relationship as specified inthe structured data via the common data structure. As another example,for non-textual data, such as audio or visual data, the datapre-processor 106 may perform text extraction (e.g., via speechrecognition, object recognition, optical character recognition) againstthe audio or visual data to extract text from this data to be placed inthe common data structure. As another example, for binary data, the datapre-processor 106 may convert the binary data to text using variousbinary to text conversion protocols, such as converting binary values toASCII. The data pre-processor 106 may place each converted data elementof the input data sources 102A-N in its own unit in the common datastructure. Thus, for example, the data pre-processor 106 may place eachcell of a database in its own node in a graph.

The data pre-processor 106 may further combine data from different inputdata sources 102A-N together into the same common data structure. In oneembodiment, the data pre-processor 106 combines data having the samemetadata labels. This may be achieved using a matching algorithm thatmatches metadata labels having the exact same label or labels that arewithin a threshold degree of similarity (e.g., labels that match ifnon-alphanumeric characters are removed). The metadata label is thedescriptor used in the data to describe the data, e.g., column labels,XML, tags, etc. Each metadata label may describe a portion of data thatshare some common characteristic. For example, a column in a databasemay have a metadata label indicating the data in the column are creditcard numbers. The data pre-processor 106 may combine such data byindicating a relationship between them in the common data structure, orplacing them in a single unit (e.g., a single node) in the common datastructure. In addition to metadata labels, the data pre-processor 106may also perform the same action, i.e., indicate a relationship orcombine into a single unit, against data that have matching contents(e.g., two cells in a database with the same ID number). Furthermore,the data pre-processor 106 may combine data associated with a singlemetadata label into a single unit, e.g., all data under a singlestructure, in the common data structure.

The data pre-processor 106 may further randomly sample data from theinput data sources 102A-N and place this randomly sampled data into thecommon data structure instead of placing the entire set of data from theinput data sources 102A-N into the common data structure. For each ofthe subsections of the input data sources 102A-N which have separatemetadata labels, the data pre-processor 106 may randomly sample datafrom within that subsection. Each subsection may include groups of dataportions that are categorized together, such as within a single file,data instance, container, or database table. The amount of data that issampled may be set according to a configuration parameter such that thetotal amount of data sampled from the input data sources 102A-N does notexceed a set value. Alternatively, the data sample size may be apercentage of each subsection of data. As the data associated with ametadata label should be categorically similar, the data classifier 108does not need to analyze all the data associated with that metadatalabel as analyzing a sample of that data should provide information,i.e., an estimate, about the remainder. If the data is not associatedwith a metadata label, the data pre-processor 106 may randomly sample alarger portion of that data, or may include the entirety of that datawithin the common data structure.

Note that in various embodiments the data pre-processor 106 does notdetermine whether data is sensitive or not, but rather converts the datainto a standardized structure and format that can be parsed by the dataclassifier 108. Furthermore, in other embodiments the functionsperformed by the data pre-processor 106 may be performed by the dataclassifier 108 instead, or may not be performed at all, as the dataclassifier 108 may directly ingest the data from the input data sources102A-N in its original format.

The data classifier 108 determines, using computer-specific rules andalgorithms, whether a data portion in the data received from the datapre-processor 106 is sensitive data, and may also determine the level ofthe sensitive data (i.e., how sensitive the data is). A data portion mayrepresent a single unit of data in the common data structure generatedby the data pre-processor 106, or may represent a group of data sharingsimilar characteristics, or may represent the smallest element of datain the data received from the data pre-processor 106 that still hassemantic meaning. In other words, a data portion is a smallest unit ofdata that can individually convey information (or is meaningful) withoutrelying on other data. For example, a zip code may be a data portion, asit conveys information about an address. In practice, the dataclassifier 108, when searching through the data from the input datasources 102A-N for data portions, may not search specifically for thesesmallest units of data, as this type of search may require analysis ofthe actual data and thus may be resource intensive. Instead, the dataclassifier 108 may assume that a unit of data that is separated fromother data using a delimiter, such as a cell boundary in a table, aspace character, an end of file marker, an audio pause, a blank videoframe, and so on, is a data portion. Thus, a data portion may be a cellin a database, table, or other data structure, a table in a database, acolumn or row in a database, a string of characters that are notseparated by a delimiter, a file, a binary blob, a segment of audioseparated by a pause, multiple frames of video separated by a transitionframe, an element in a data structure, and so on. In general, the dataclassifier 108 may determine if the data is sensitive based on patternmatching, logical rules, contextual matching, reference table matching,and machine learning.

The data classifier 108 uses pattern matching to match patterns betweenthe data received from the data pre-processor 106 and a set ofpre-defined patterns stored by the data classifier 108. If any matchesare found either within the data itself or the corresponding metadatalabels, then the corresponding data portions are indicated as beingsensitive data. The patterns may be specified using various methods,such as regular expressions.

The data classifier 108 may also use logical rules to determine whethera data portion is sensitive data. These logical rules may indicate thata data portion is sensitive data when various conditions as specified bythe logical rules are true. The logic rules may specify variouscharacteristics of the data, such as its metadata label, size, length,contents, and so on, in order to determine whether that data issensitive data.

The data classifier 108 may further classify data to determine whetherit is sensitive using contextual matching. The data classifier 108determines the context in which a data portion appears, and based on thesurrounding context, the data classifier 108 may determine that the dataportion is sensitive. The context of a data portion includes other datathat has a relationship to the data portion. Other data that has arelationship to the data portion includes the other data that appears inthe same file or table as the data portion, other data that referencesthe data portion, and so on. If the other data for which the dataportion has a relationship to matches certain patterns or rules, thedata classifier 108 may determine that the data portion is sensitive.

The data classifier 108 may further determine that data is sensitiveusing reference table matching. The data classifier 108 may storevarious reference tables that include lists of potentially sensitivedata, such as common names of persons, common terms in addresses (e.g.,country codes, common street names), product names, medical conditions,and so on. The data classifier 108 may match data portions in the datareceived from the data pre-processor 106 with the elements in thereference tables to see if it can find a match. If a match is found, thedata classifier 108 may determine that the data portion is sensitive.

The data classifier 108 may also determine that data is sensitive usingmachine learning algorithms. The data classifier 108 trains a machinelearning model, such as a multilayer perceptron or convolutional neuralnetwork, on data known to be sensitive data. Features may first beextracted from the data using an N-gram (e.g., a bigram) model and thesefeatures input into the machine learning model for training. Aftertraining, the machine learning model will be able to determine (with aconfidence level) whether data is sensitive or not. The trained machinelearning model may be verified using a verification dataset composed ofreal world customer data, and the error rate analyzed. The machinelearning model may be further improved during live operation by userfeedback.

In one embodiment, the data classifier 108 uses a combination of theabove methods to analyze each data portion of the data received from thedata pre-processor 106. Each of the methods described above may also beassociated with a significance factor indicating a confidence level inthe determination made by that method. These may be weighted in acombined confidence value for that data portion indicating how likelythe data portion is sensitive (i.e., the confidence of the system inmaking the determination). A high confidence value indicates a highlikelihood that the data is sensitive data, while a low confidence valueindicates the opposite.

In one embodiment, the data classifier 108 further determines thesecurity level of data portions determined to be sensitive (or likely tobe sensitive and having a confidence value beyond a certain threshold).The security level indicates how well the sensitive data portion iscurrently protected by various security features. The data classifier108 may be able to detect the number and type of security feature(s)applied to the data portion. The security level may be determined to behigher based on the number of security features applied to the dataportion, as well as the strength of the security feature applied to thedata portion. In one embodiment, the data classifier 108 has receivedthe various encryption keys, tokenization mapping, de-obfuscationprotocol, and other information needed to read data for which one ormore security features have been applied.

Although certain methods of determining whether a data portion issensitive are described here, other methods may also be used by the dataclassifier 108. Additional details regarding the data classifier 108 andthe methods of determining whether data is sensitive are described infurther detail below with reference to FIG. 2 .

The classifier refinement engine 110 tunes the data classifier 108 toimprove the accuracy of the data classifier 108 (i.e., to reduce falsepositive and false negative classifications), using live data andadditional configuration inputs.

The classifier refinement engine 110 may continue to train the machinelearning module of the data classifier 108 using live data. This may beachieved by utilizing user feedback to determine whether some dataportions classified as sensitive are in fact not sensitive and are falsepositives. The classifier refinement engine 110 may improve the accuracyof the various other methods in the data classifier 108 of determiningwhether a data portion is sensitive using other forms of user feedback.New patterns may be added to the pattern matching method based on userfeedback indicating certain data patterns are sensitive. Logical rulesmay be modified by the classifier refinement engine 110 based onconfiguration information provided by a user or by an indication from auser that data portions in certain scenarios are sensitive. Referencetables may be updated using newly received reference data. Contextualmatching may also be updated based on new indications of contextualdata.

This allows the classifier refinement engine 110 to continuously refinethe performance of the data classifier 108 to improve its accuracy.Furthermore, certain organizations may have data that has a format thatis unique to the organization but which still include sensitive data.This data may not be normally detected using the other methods describedfor the data classifier 108. Instead, the classifier refinement engine110 allows the data classifier 108 to learn that this data is alsosensitive, and so the classifier refinement engine 110 allows the dataclassifier 108 to be customized for the specific types of data of eachorganization. Furthermore, the improvements made to the accuracy of thedata classifier 108 may be shared to other organizations that use thesensitive data scanner 104, thereby improving the detection accuracy ofthe sensitive data scanner 104 in these other organizations. Forexample, new logical rules may be shared among different organizations.While these improvements are shared, the actual sensitive data mayremain locally with the organization to avoid any transmission of anysensitive data outside the organization.

Additional details regarding the classifier refinement engine 110 aredescribed below with reference to FIG. 3 .

The data classification reporting module 114 reports the resultsproduced by the data classifier 108 indicating whether data portions inthe input data sources 102A-N are sensitive or not. The dataclassification reporting module 114 may present the results in a userinterface to the user. The user interface may present to the user thetypes of sensitive data that have been detected (e.g., names, socialsecurity numbers, etc.), the number of data portions with sensitive datathat have been detected, the source of these sensitive data portions,the historical trends regarding the number of sensitive data portionsthat have been detected, and so on. The user interface of the dataclassification reporting module 114 may further allow the user to drilldown into any of the above presented data to see additional details,such as the exact tables where the sensitive data portions weredetected, confidence scores of each detection, which methods were usedin determining whether the data portion is sensitive data, and so on.The data classification reporting module 114 may also present an overallsecurity posture of the organization based on the collected information.The data classification reporting module 114 may determine this overallsecurity posture according to the number of data portions collected thatare determined to be sensitive data and which fall below a particularsecurity level, compared to those data portions that exceed an indicatedsecurity level. The data classification reporting module 114 may alsopresent information, e.g., via a timeline or other UI element, regardingthe progress the organization has made towards securing sensitive datathat was previously unsecured or below a desired security level.Additional details and examples of the user interface generated by thedata classification reporting module 114 are described below withreference to FIGS. 5-12 .

The data protect module 112 may be used to apply additional securityfeatures to data portions of the input data sources 102A-N that aredetermined to be sensitive based on the detected security level of thedata portions.

The data protect module 112 may apply a number or type of securityfeatures to the data portion so that the security level of that dataportion reaches a desired level (e.g., a minimum threshold required bylaw or some other standard). Examples of security features that may beapplied are encryption (e.g., via SHA, RSA, etc.), tokenization,obfuscation, protection via different formats, access controlrestrictions, encryption of connections to access the data, modificationof network security policies, and so on. As applying security featuresto the data portion may likely cause an error in the other systems thataccess that data portion, the data protect module 112 may first presenta report to a user in a user interface indicating the suggested changesand also link to application programming interface (API) libraries orindicate additional executable code (in various supported programminglanguages) to include in the other systems so that they can continue toaccess the data with the applied security features without error.

The above components may each execute on a single computing device or bedistributed among multiple computing devices. Each computing device mayinclude the components and function similarly to the exemplary computingdevice described below with reference to FIG. 13 . The computing devicesmay be connectively coupled via a network. In one embodiment, thenetwork may also be any type of network, including but not limited to alocal area network (LAN), a metro area network (MAN), a wide areanetwork (WAN), the Internet, a mobile, wired or wireless network, acloud computing network, a private network, or a virtual privatenetwork, and any combination thereof. The network may also be aninternal network within a device, such as a local message bus or serialcommunications network. In addition, all or some of links of the networkcan be encrypted using conventional encryption technologies such as thesecure sockets layer (SSL), Secure HTTP and/or virtual private networks(VPNs). In another embodiment, the entities can use custom and/ordedicated data communications technologies instead of, or in additionto, the ones described above.

Example Data Classifier

FIG. 2 is a diagram illustrating exemplary components of the dataclassifier 108 of FIG. 1 , according to one embodiment. Although aparticular arrangement of elements is shown here, in other embodimentsthe arrangement of elements differs from that shown while achieving thesame effects. The elements shown in FIG. 2 may be implemented using acombination of hardware components, such as a processor, and softwareinstructions, stored on computer readable storage medium and executed bythe hardware components, which are described with further detail inreference to FIG. 13 .

As noted above, the data classifier 108 may utilize various methods todetermine whether data is sensitive along with a confidence value ofthat determination. An exemplary set of methods are described here,although other methods may also be used in other embodiments. Theillustrated data classifier 108 includes a metadata analyzer 202, areference data matcher 204, a pattern matcher 206, a logical classifier208, a contextual analyzer 210, a deep learning classifier 212, a datasecurity level classifier 214, a significance factor calculator 216, anda confidence value calculator 218. Although the data portions that areanalyzed by the components described herein are primarily with referenceto data portions in data received from the data pre-processor 106, inother embodiments the data portions that are analyzed include data thatis received directly from the input data sources 104. Each of thecomponents described below each use various pattern match, referencematch, rules, algorithms, and other methods to make determinations ofwhether a data portion is sensitive data. Each of these methods may beknown as a classification rule, and multiple classification rules mayapplied to each data portion to determine whether that data portion issensitive data.

The metadata analyzer 202 analyzes the metadata of a data portion in thedata received from the data of the input data sources 102A-N todetermine whether the data portion is sensitive data. The metadata mayinclude, in the case of data pre-processed by the data pre-processor106, the metadata labels in the common data structure. In the case wherea data pre-processor 106 is not used, the metadata includes the metadatalabels directly extracted from the input data sources 102A-N. Thisincludes column labels, schema names, database names, tables names, XML,tags, filenames, file headers, other tags, file metadata, and so on. Themetadata analyzer 202 may determine that a data portion is sensitivedata if it indicates one or more sensitive data types, including but notlimited to 1) names, 2) addresses (including subdivisions such asstates, cities, counties, provinces, postal codes, and so on), 3) datesof birth, 4) telephone numbers, 5) email addresses, 6) social securitynumbers, 7) TextID, Codice Fiscale, or other government identificationnumbers, 8) medical record numbers, 9) health plan beneficiary numbers,10) financial account numbers, such as an International Bank AccountNumber, 11) credit card numbers, 12) driver's license numbers, 13) IP orother network addresses, 14) biometric data, and 15) passwords andusernames.

The metadata analyzer 202 may look for any metadata that indicates oneof the above sensitive data types. The metadata may have a label thatdirectly infers the sensitive data type, or may include abbreviations oracronyms that indicate the sensitive data type. For example, a socialsecurity number sensitive data type may have a metadata of “ssn” or“soc_sec_num,” and a credit card number sensitive data type may beindicated with the metadata of “ccn” or “credit_card_num,” etc.Additional formulations of metadata labels may be used as well. Afterdetermining that a data portion is associated with metadata thatindicates a sensitive data type, the metadata analyzer 202 may indicatethat the data portion is sensitive data.

Note that the significance factor assigned to a determination that adata portion is sensitive data based on matching metadata may varydepending upon the metadata that is matched. For example, a metadatalabel of “social” may be assigned a lower significance factor than thatof “ssn.”

The reference data matcher 204 analyzes the data portions of the datareceived from the data pre-processor 106 with data within a referencedata source to determine whether the data is sensitive data. If thereference data matcher 204 finds a match between a data portion and datain the reference data source, then the reference data matcher 204 mayindicate that the data portion is sensitive data. The reference datasource may include a list, database, table, or other data structurestored by the reference data matcher 204 that include lists of data thatare likely to be sensitive data. The data in the reference data is datathat is of a sensitive data type that does not necessarily have anyshared patterns, but if matched, is highly likely to be sensitive data.For example, while social security numbers follow a distinct pattern(e.g., 3 digits, dash, 2 digits, dash, 4 digits), some sensitive datatypes, such as names of persons, do not follow any specific pattern orrule, and can be uniquely identified and are likely to be sensitive.Other examples of sensitive data types that may be stored in thereference data sources include usernames, email address domains, postalcodes, other address components (e.g., country codes, common streetnames), product names, medical conditions or terms, and so on. Thereference data matcher 204 may require an exact match between the dataportion and the data indicated in the reference data source, or only apercentage match beyond a threshold degree (e.g., matching a percentagenumber of the data in the data portion to the data in the reference datasource).

The pattern matcher 206 matches data portions received in the data fromthe data pre-processor 106 with various patterns to determine whetherthe data portions are sensitive data. Data portions that generate apositive match with a pattern may be determined by the pattern matcher206 to be sensitive data. The patterns may be in any type of format thatcan store patterns, such as regular expressions, formal grammars, rules,wildcards, image and video pattern recognition methods (in the case ofnon-text data portions), and so on. For example, a sensitive data typefor a social security number may be matched by the regular expression“[0-9]{3}-[0-9]{2}-[0-9]{4}” indicating a pattern of three numbers,followed by a dash, followed by two numbers, followed by another dash,and followed by 4 numbers. Other sensitive data types may be matchedsimilarly. For example, zip codes may be matched as sequences of 5numbers. Emails may be matched by a string of characters (thelocal-part), followed by the “@” symbol, followed by an alphanumericstring of characters (the domain) that may include a period, and thenending with a period and sequence of characters that matches a top leveldomain (e.g., “.com,” “.mail”). Telephone numbers for the United Statesmay be matched according to the standard format of the three digit areacode, a delimiter, a three digit central office code, the samedelimiter, and a four digit line number. Bank account numbers may bematched based on a standard length for account numbers and a set patternlimiting the types of account numbers and routing numbers that areavailable. Credit card numbers may be matched based on length and thefact that credit card numbers follow specific patterns (e.g., theinitial issuer identification number is fixed to a set number ofcombinations). Dates of birth, driver's license numbers, and othersensitive data types may also follow various patterns and thus be ableto be pattern matched by the pattern matcher 206.

The logical classifier 208 uses a set of stored rules to determinewhether a data portion from the data received from the datapre-processor 106 is sensitive data. The data of many of the sensitivedata types described above adhere to various constraints. Theseconstraints may adhere to various rules, for which the logicalclassifier 208 may detect. Many of the sensitive data types are datathat have values within a certain range, values that are selected from aset list of options, particular organizations, and so on. These variousconstraints may not be easily defined via a pattern that can be detectedby the pattern matcher 206. Instead, these constraints may be moreeasily defined using various rules for parsing data, of which thelogical classifier 208 can detect. The rules may fall into variouscategories. One rule may indicate that sub-portions of a data portionthat is sensitive data can only one of a select number of options.Another rule may indicate that the data portion must pass some sort ofverification test, such as Luhn check for credit card numbers, or havingan email domain be checked to see if it is a valid domain, ordetermining whether a financial account number is has a valid header, ordetermining if a phone number's area code is valid, or whether a dataportion that may be a password meets minimum password securityrequirements, and so on. Another rule may indicate that the data portionshould be within a valid range, such as a date of birth not being in thefuture. Other rules may be specified for different sensitive data types.These rules may also be provided by an organization for sensitive datatypes, including sensitive data types that may be unique to theorganization. For example, an organization may consider sensitivecertain trade secret data. This data may be identifiable using rules.The organization may specify a custom rule to detect such data.

The rules may be specified using a user interface. For rules whichrestrict the data to certain ranges or options, input fields for rangesand the number of options may be provided for a user to enter the rangesand options that are valid. For more complicated rules, options to inputcomputer instructions (e.g., source code) representing the rule may beprovided. These computer instructions may use various programminglanguages, such as Haskell, perl, and so on.

Once the rules are configured, the logical classifier 208 applies therules to the received data portions, and if the rule returns true value,i.e., an indication that the rule indicates a match for the dataportion, the logical classifier 208 may determine that the data portionis sensitive data.

The contextual analyzer 210 uses contextual data in order to determineif a data portion is sensitive data. As noted previously, the context ofa data portion is other data that has a relationship to the dataportion. This other data is received from the data pre-processor 106,and will be hereafter referred to as contextual data. This relationshipbetween the contextual data and the data portion may be due to 1)similar logical data storage location between the contextual data andthe data portion (e.g., both are within the same or similar data object,database, table, file, etc.), 2) unidirectional or bidirectionalreferences between the contextual data and the data portion (e.g., viareference pointers), 3) the contextual data and the data portionappearing in logical data locations that are associated with each other(e.g., the data portion and the contextual data may be split into twotables which are parts of a larger table), 4) the logical data locationsof the data portion and the contextual data being near in logicaldistance to each other, 5) a semantic relationship between the dataportion and the contextual data (e.g., via synonyms, glossaries,ontologies, or classification hierarchies), 6) the contextual data andthe data portion being accessed by the same application or other datareader, 7) the contextual data and the data portion being accessed bythe same user or category of user, 8) same physical storage location ofthe contextual data and data portion, and so on.

Note that the logical storage location of a data refers to the logicallocation to which the data is stored in the input data sources 102A-N.This may be a file name, database name, database schema, file name, andso on. The physical storage location, on the other hand, refers to anactual physical storage, such as hard drive, tape drive, etc., on whichthe data is stored.

As noted above, the data received from the data pre-processor 106 mayhave already combined the multiple input data sources 102A-N into asingle common data structure. In such a case, the data pre-processor 106may have already indicated the relationship between the data portion andthe contextual data via the common data structure, e.g., via edgesconnecting the data portion and the contextual data. The contextualanalyzer 210 may utilize this pre-existing relationship information inorder to identify the contextual data, and then use the contextual datato determine whether the data portion is sensitive data.

In other embodiments, the contextual analyzer 210 may separatelydetermine if the data portion has any contextual data. This may beperformed by searching the input data sources 102A-N for data that has arelationship to the data portion, such as one of the relationshipsdescribed above. The contextual analyzer 210 may combine the data thathas a relationship to the data portion, and based on the presence ofthis contextual data, the contextual analyzer 210 may determine that thedata portion is sensitive data.

The contextual analyzer 210, similar to the logical classifier 208, mayprovide a graphical interface, application programming interface, or mayaccept computer instructions to allow a user to provide specificinstructions regarding whether the contextual analyzer 210 shoulddetermine that a data portion is sensitive data based on the contents,type, relationship, metadata, and other characteristics of contextualdata that has been found for the data portion. The contextual analyzer210 subsequently applies these contextual rules to the data receivedfrom the input data sources 102A-N to determine whether a data portionis sensitive data. As an example of such contextual rules, thecontextual analyzer 210 may determine that a data portion that is anumber is a credit card number if it is in a table with other financialdata (such as bank information, data labeled “Financial,” and so on). Asanother example, the contextual analyzer 210 that a data portion is asocial security number if the contextual data that is in the samelogical storage location as the data portion includes an email address,name, or phone number. As yet another example, the contextual analyzer210 may determine that a data portion is a credit card number when itfinds contextual data, which has a relationship of being in a table thatis consecutively labeled from the table with the data portion, and whichindicates names of people (e.g., credit card holders). As anotherexample, the contextual analyzer 210 may determine that a five digitnumber is a zip code and is sensitive data if it finds city names incontextual data for that five digit number sequence.

The deep learning classifier 212 determines whether a data portion issensitive using a machine learning model. The deep learning classifier212 may employ one or more machine learning models, such as aconvolutional neural network, a recurrent neural network, a long termshort memory model, and other deep learning models to classify data assensitive or not sensitive. The deep learning classifier 212 may firstextract features from a data portion before feeding it into the machinelearning model. This may involve extracting bigram tokens from the dataportion. The extracted features are fed into the machine learning model,which outputs a prediction, e.g., a percentage value, indicating whetherthe data portion is likely to be sensitive data or not sensitive data.In the case of a percentage value, if the percentage exceeds athreshold, the deep learning classifier 212 may indicate that the dataportion is sensitive data. Otherwise, the data is not sensitive data.

In one embodiment, the deep learning classifier 212 receives as inputlarger sets of data, such as entire files, and determines whether suchlarger sets of data include sensitive information. The deep learningclassifier 212 may use techniques such as word frequency analysis,object or character recognition, and other means, to determine whetherthese larger sets of data include sensitive data. These larger sets ofdata may be specific to an organization, and the deep learningclassifier 212 may be trained specifically using data from theorganization.

The data security level classifier 214 optionally determines thesecurity level of data determined to be sensitive data based on a numberof security features that have been applied to the data. These securityfeatures can be generally categorized into 1) format protection, 2)access controls, 3) transmission controls, and 4) network securitylevel. Format protection refers to security protection applied directlyto the data, such as encryption, tokenization, obfuscation, or otherformat protection, with more and stronger format protections indicatinga higher level of security. Access controls refers to limitations onaccess to the data by users, with fewer number of users allowed toaccess the data indicating a higher level of security. Transmissioncontrols refers to whether the data is access via secure (e.g.,encrypted) or unsecure channels, with access restricted to securechannels indicating a higher level of security. Network security levelrefers to security features implemented in the network used to accessthe data, such as the use of virtual private networks, network securitypolicies, and so on. A higher network security level indicates a highersecurity level for the data.

The data security level classifier 214 indicates for each sensitive dataportion the current security level based on the number or type ofsecurity features that have been implemented. The data security levelclassifier 214 may also determine an expected security level based onuser configuration (e.g., as required by law). The data security levelclassifier 214 may further indicate the delta between the current andexpected security levels. This information may be transmitted to thedata classification reporting module 114 for reporting to the user.

In one embodiment, the security level of a data portion may be used, forexample, by the logical classifier 208, to determine whether the dataportion is sensitive data, as sensitive data may have higher securitylevels.

The significance factor calculator 216 assigns a significance factor tothe determinations made by the various components of the data classifier108. These components include the analyzers, matchers, and classifiersdescribed above (i.e., the metadata analyzer 202, the reference datamatcher 204, the pattern matcher 206, the logical classifier 208, thecontextual analyzer 210, and the deep learning classifier 212). Eachdetermination made by one of the components of the data classifier 108regarding whether a data portion is sensitive data is given asignificance factor. The significance factor may vary depending on thesensitive data type that is detected and the component that detects thesensitive data portion, and indicates a strength, i.e., accuracy, of thedetermination of sensitive data made by that component. The significancefactor may be proportional to the number of false positives that areexpected for the combination of data classifier 108 component andsensitive data type. For example, a zip code detected using the patternmatcher 206 based on a simple pattern of a 5 digit number may have alower significance factor than a zip code detected using the contextualanalyzer 210 based on surrounding contextual data indicating otheraddress components. The significance factor may be significantly lowerif the combination of data classifier 108 component and sensitive datatype yields false positives that are above a threshold, i.e., thecombination is not “discriminating.” These false positives may bedetermined experimentally using a test set of data for each combinationof sensitive data type and/or data classifier 108 component, and may beupdated periodically, thus updating the significance factorsperiodically as well. Alternatively, the significance factor forcombinations of sensitive data type and/or data classifier 108 componentmay be assigned by a user via a user interface.

The confidence value calculator 218 determines a confidence value foreach data portion that is scanned. The confidence value is determined bycombining the determinations (of sensitive or not sensitive data) madeby each of the data classifier 108 components (i.e., the analyzers,matchers, and classifiers) and associated significance factors to arriveat a confidence value. In one embodiment, each of the above componentsof the data classifier 108 determines whether a data portion issensitive or not sensitive only after the data portion is validated.This means that the data portion is first checked to see if it is of aright type and format for the data classifier 108 component to process.In such a case, a data portion that is processed by a data classifier108 component is given an initial confidence value that is determined bymultiplying a weight value, such as the significance factor determinedby the significance factor calculator 216 for that combination ofdetected sensitive data type and data classifier 108 component, and avalue derived from the ratio of a number of data portions that have beenprocessed by the components of the data classifier 108 to the number ofdata portions that have been validated. This initial confidence valuemay be “booted” by determinations from other data classifier 108components indicating that the data portion is a sensitive data. Theamount of boost may be related to the corresponding significance factorfrom the other data classifier 108 components, computed in the fashiondescribed above for the significance factor calculator 216. The resultis a final confidence score. Multiple initial confidence scores may becomputed for each data classifier 108 component for the same dataportion. Boost scores from other components may be added to each ofthese initial confidence scores, resulting in multiple final confidencescores. The highest final confidence score may then be associated withthe data portion, and may also be associated with other data which aregrouped together or have a relationship with the data portion (e.g.,data that is in the same column).

In another embodiment, when computing the confidence value, theconfidence value calculator 218 also considers the quality of the dataportion for which the confidence value is to be calculated, as well asthe uniqueness of that data portion. The quality of the data portion isdetermined by the confidence value calculator 218 according to how manydata portions were determined to be sensitive data by one of the variousrules of the components of the data classifier. If fewer than athreshold proportion (e.g. 5%) of data portions out of all data portionssampled were determined to be sensitive data, this may indicate a lackof substantial data to which a determination can be made with highconfidence, as typically a sensitive data portion should be accompaniedby other similar data portions of similar content and type. In such acase, the confidence value calculator 218 may assign a lower scoreproportional to the number of samples found. The confidence valuecalculator 218 may use a curve of an exponential growth model to adjustthe score, and may use the same curve for other data in the same dataportion.

In another embodiment, the confidence value is determined by adding allthe determinations of sensitive data made by the components of the dataclassifier 108 together as weighted by the respective significancefactors. The determination that data is sensitive may be a binaryoutcome, as may be the case when analyzing metadata, comparing toreference or patterns, using logical classifiers, and analyzing context.In these cases, a determination of no sensitive data may be given a lowvalue (e.g., 0.1) while a determination of sensitive data may be given ahigh value (e.g., 0.9). Alternatively, a determination of no sensitivedata is given a 0 value, with a determination of sensitive data given a1 value. Note that the output from the deep learning classifier 212 orthe data security level classifier 216 may be within a continuous rangeof values. These outputs may be normalized and used directly instead ofbeing converted as above for the binary values.

The confidence value calculator 218 may, after determining theconfidence value of a data portion, send this information to the dataclassification reporting module 114 for reporting to the user. In oneembodiment, if the confidence value exceeds a certain threshold (e.g.,50%), the corresponding data portion is determined to be sensitive data.Otherwise, the corresponding data portion is determined not to besensitive data. In another embodiment, the confidence value is only usedfor reference, and the determination of whether a data portion issensitive is made individually by each of the components of the dataclassifier 108.

As described with further detail below with reference to FIG. 3 , animportant factor in the determination of whether data is sensitive dataor not sensitive data involves periodically updating the determinationbased on user feedback and new data that is received. Furthermore, thedetermination may be customized for data that is unique to a particularorganization. This allows the sensitive data scanner 104 to be able toreduce false positives over time and increase accuracy for eachorganization's input data sources 102.

Example Classifier Refinement Engine

FIG. 3 is a diagram illustrating exemplary components of the classifierrefinement engine 110 of FIG. 1 , according to one embodiment. Althougha particular arrangement of elements is shown here, in other embodimentsthe arrangement of elements differs from that shown while achieving thesame effects. The elements shown in FIG. 3 may be implemented using acombination of hardware components, such as a processor, and softwareinstructions, stored on computer readable storage medium and executed bythe hardware components, which are described with further detail inreference to FIG. 13 .

As noted above, the data classifier 108 be periodically updated toprovide more accurate results, including more accurate determinations ofwhether a data portion is sensitive or not sensitive, and improvedconfidence value computations. This may be achieved with the classifierrefinement engine 110 described here. The illustrated classifierrefinement engine 110 includes a classifier accuracy tuner 302, asignificance factor tuner 304, a machine learning trainer 306, and adata context tuner 308.

The classifier accuracy tuner 302 tunes the accuracy of the basedetermination of whether a data portion is sensitive data for thecomponents of the data classifier 108 that output a binary determinationof whether data is sensitive data or not sensitive data. Thesecomponents may be the metadata analyzer 202, the reference data matcher204, the pattern matcher 206, the logical classifier 208, and thecontextual analyzer 210.

These components of the data classifier 108 may sometimes produce falsepositives (i.e., data indicated to be sensitive but not actuallysensitive) and false negatives (data that is actually sensitive but notindicated as such). To reduce the rates of false positives and falsenegatives, the classifier accuracy tuner 302 may prompt for or receiveuser feedback indicating whether reported sensitive data portions areactually sensitive data and whether data portions reported not to besensitive data are actually sensitive data. For (each) feedbackindicating that a determination of sensitive data was made incorrectly,the classifier accuracy tuner 302 analyzes the underlying data portionand the combination of components of the data classifier 108 that wereused to make the erroneous determination. The classifier accuracy tuner302 may determine which one of the components of the data classifier 108contributed most to the inaccurate determination. This may be thecomponent whose determination was weighted most heavily in thecomputation of the confidence value for the data portion. The classifieraccuracy tuner 302 may present to the user the process used by thatcomponent to make the determination. This process may include a rule,pattern, context, metadata, or other process used by that component. Theclassifier accuracy tuner 302 may allow the user to modify or removethat process in order to improve the determination made by thatcomponent. For example, the user may be able to modify the pattern usedto recognize sensitive data type to avoid a false positive.

The significance factor tuner 304 tunes the significance factors used tocompute the confidence value to improve the accuracy of the dataclassifier 108. As with the classifier accuracy tuner 302, a user of thesystem may be periodically solicited for feedback, or the user mayvoluntarily provide feedback at any time, regarding the accuracy of adetermination of sensitive data. This feedback may be categorized foreach sensitive data type, input data source, etc. The user may indicatethat the determination is accurate, or that it is inaccurate. The usermay further indicate that the determination is a false positive or afalse negative. After receiving a number of feedback results, thesignificance factor tuner 304 may adjust the significance factors usedby the data classifier 108 to compute the confidence values in order togenerate more accurate determinations. The significance factor tuner 304may model the accuracy of the determinations statistically, e.g., viaregression analysis, to determine the best weights for all the outputsfrom each data classifier 108 component which generates the mostaccurate confidence scores. As noted above, each component may make adetermination that a data portion is sensitive data, or that it is notsensitive data. These are combined with pre-computed significancefactors to generate the final confidence value for the data portion. Thesignificance factor tuner 304 may assign a numerical representation foreach determination of each component, as well as the actual correctdetermination as indicated by the user feedback, and perform thestatistical analysis on this data to determine a best fit of thedeterminations made by each component and the correct determination ofwhether the data is sensitive. By performing this fitting, thesignificance factor tuner 304 may be able to determine the percentageimpact that each component, for each sensitive data type (or othercategory), has in predicting an accurate determination of whether thedata is sensitive data. The significance factor tuner 304 may thenadjust the significance factors associated with component for thatsensitive data type based on the determined percentage impact. In oneembodiment, the significance factors may be adjusted in proportion tothe percentage impact.

In another embodiment, instead of automatically adjusting thesignificance factors, the significance factor tuner 304 may provide aninterface to the user to allow the user to adjust the significancefactors manually.

The machine learning trainer 306 trains the deep learning classifier212. The machine learning trainer 306 may receive a set of trainingdata. The training data includes multiple data portions which arelabeled as sensitive data or not sensitive data. The sensitive data typemay also be labeled. This training data may be received from the userand may be custom to the user's organization or may be a generic set oftraining data. The benefit of using custom data is that the data isspecific to the organization and the resulting trained machine learningmodel may generate fewer errors. A set of features may first beextracted from the training data. In cases where the training dataincludes text, the text may be converted into numerically meaningfuldata that can be used as features for the machine learning model of thedeep learning classifier 212. For example, the text may be convertedinto a bag of word model. Various machine learning models may be used,depending on effectiveness, such as a support vector machine, a naïveBayes classifier, or a neural network. Multiple machine learning modelsmay be trained on the training data and the one that produces the bestaccuracy for the selected training data may be selected. The trainedmachine learning model is tested against a validation data set, and ifthe accuracy exceeds a certain percentage, then the machine learningmodel is selected by the machine learning trainer 306 for use with thedeep learning classifier 212.

The data context tuner 308 automatically selects contextual data for adata portion, which may then be used by the contextual analyzer 210 todetermine if that data portion is sensitive data. The data context tuner308 may receive multiple sets of labeled training data. Each setincludes data portions that are labeled as sensitive data and those thatare labeled as not sensitive data. Each set of training dataadditionally includes different combinations of contextual data. Thetraining data may be sourced from data within the organization. The datacontext tuner 308 may extract features from the training data sets,similar to the method described above for the machine learning trainer306. The data context tuner 308 trains multiple machine learning modelsand/or statistical models to determine which sets of contextual data inwhich sets of training data best predict whether the data portion inquestion is sensitive data. The contextual data set of the training setthat best predicts, i.e., has the highest accuracy in determining,whether a data portion is sensitive or not may then be used by thecontextual analyzer 210 against unlabeled (live) data to determine ifthe data in the unlabeled data is sensitive or not sensitive. In anotherembodiment, a combination of the contextual data from the top performingmodels are used by the contextual analyzer 210. To use the contextualdata, the contextual analyzer 210 determines if the same or similarcontextual data with types matching the selected contextual data existsfor the data portion that is being analyzed. If so, the contextualanalyzer 210 may determine that the data portion is sensitive data.

Using the system described here, data that is potentially sensitive inan organization can be detected continuously over time, with thedetection becoming more accurate over time. The sensitive data that isfound is reported to the user in a user interface that indicates thesources, types, confidence value, locations, and other characteristicsof the detected sensitive data. The system may also automatically applyadditional security features to data that is detected to be sensitive.Such a system removes the need for significant manual intervention andanalysis of significant amounts of data, and such a system evolves asthe data for the organization changes. This can work to prevent securitybreaches of sensitive data caused by malicious hackers to theorganization.

Exemplary Flow

FIG. 4 is a flowchart illustrating a method of determining whether adata portion in a data source is sensitive data, according to anembodiment. Although certain steps are shown here, in other embodimentsthe order and operation of each step may differ while producing asimilar result. In one embodiment, the method shown here is performed bythe sensitive data scanner 104.

Initially, the sensitive data scanner 104 accesses 402 a data source.The data source comprises a plurality of data portions.

The sensitive data scanner 104 also accesses 404 a set of classificationrules. Each classification rule is configured to classify a data portionof the plurality of data portions as sensitive in response to the dataportion satisfying the classification rule. Each classification rule isfurther associated with a significance factor representative of anaccuracy of the classification rule in classifying data portions assensitive. In one embodiment, the classification rules include themethods performed by the various components of the data classifier 108as described above (i.e., the metadata analyzer 202, the reference datamatcher 204, the pattern matcher 206, the logical classifier 208, thecontextual analyzer 210, the deep learning classifier 212, and the datasecurity classifier 214).

For each of the set of classification rules, the sensitive data scanner104 applies 406 the classification rule to the data portion to obtain anoutput representative of whether the data portion is sensitive.

The sensitive data scanner 104 also weighs 408 the output from eachapplication of a classification rule by the significance factorassociated with the classification rule to produce a set of weightedoutputs.

The sensitive data scanner 104 determines 410 if a data portion issensitive by aggregating the weighted outputs from applying theclassification rules.

In response to determining that the data portion is a sensitive dataportion, the sensitive data scanner 104 performs 412 one or moresecurity operations on the data portion to reduce a security risk of thedata portion.

Exemplary UI

The following FIGS. 5-13 illustrate exemplary user interfaces (UIs)which may be presented by the data classification reporting module 114to report the results of the determination of sensitive data that aremade by the data classifier 108. These UI's may be implemented usingcomputer executable code (e.g., HTML, CSS, JavaScript) that istransmitted by the data classification reporting module 114 to a user'sclient device for execution by the web browser of the user's clientdevice.

FIG. 5 illustrates an exemplary UI of a primary reporting pageindicating where sensitive data is in an organization's data sources,according to an embodiment. In the exemplary UI, the data classificationreporting module 114 presents a count of the detected sensitive data inthe sensitive data types view 502. The counts presented by the dataclassification reporting module 114 may represent each detection of adata portions that are sensitive data, or may represent detections ofsensitive data types per subsection of the input data source.

The data classification reporting module 114 also presents an input datasources view 504 indicating the number of input data sources that havebeen processed or sampled. Those input data sources that had moredetections of sensitive data may be shown to be larger in size in theUI, and those that had less detections of sensitive data are of smallersize. Each input data source may also be shown with an indication of thenumber of data portions detected in that input data source.

The data classification reporting module 114 also presents within the UIa timeline 506 indicating a number of detections of sensitive data overtime. As shown in the example UI, detections increase at the time pointlabeled June. This may assist a user in understanding how much sensitivedata is being entered into the input data sources of the organization.

The data classification reporting module 114 also presents the metrics508. These may indicate a count of the number of detections of sensitivedata types per subsection of the input data source, a total number ofdata portions that were detected as sensitive, an estimate of the totalnumber of sensitive data portions in the set of input data sources, anda number of mitigated instances of sensitive data. The estimate of thetotal number of sensitive data portions may be based on an extrapolationof the portion of the input data sources that have been scanned and thenumber of detections of sensitive data detected in that portion. Thisportion may be a random sampling of the data in the input data sources.The mitigated instances of sensitive data may indicate a count ofsensitive data types per subsection of the input data source that havehad security features applied so that they are not in plaintext or otherunsecured format. These security features may be applied, for example,by the data protect module 112.

FIG. 6 illustrates an exemplary UI of a primary reporting pageindicating where sensitive data is in an organization's data sourceslisted by subsystem, according to an embodiment. In contrast to FIG. 5which had an input data sources view 504 grouped by major systems, e.g.,servers, server clusters, databases, FIG. 6 illustrates a subsystem view602 that presents the input data sources by subsystem, e.g., byindividual files, database tables, etc.

FIG. 7 illustrates an exemplary UI of an alternative reporting pageindicating where sensitive data is in an organization's data sources,according to an embodiment. This exemplary UI may also be presented bythe data classification reporting module 114.

Here, the data classification reporting module 114 presents a sensitivedata portions view 702, which categorizes the detected sensitive data bybroad categories, including personally identifiable information (PII),personal credit information (PCI), personal health information (PHI),private date under European Union law (represented by the 12 stars), andso on. The counts in the sensitive data portions view 702 may indicatethe total number of data portions that were detected to be sensitivedata.

The data classification reporting module 114 also presents an input datasources plot 704. Instead of representing the input data sources ascircles as in FIGS. 5 and 6 , here the input data sources arerepresented in a bar graph, with each bar representing an input datasource. Each group of bars represents a particular broad grouping ofsensitive data, such as those described above with reference to thesensitive data portions view 702. This may help to visualize which datasources include the majority of which type of sensitive data.

The data classification reporting module 114 also presents a networkview 706 illustrating in a network topography where the detectedsensitive data is physically stored on the network. This information maybe determined based on the network addresses of the input data sources.Each data source that has sensitive data has an adjacent indication inthe network view 706 indicating the number of detections in that datasource.

The data classification reporting module 114 also presents metrics 708.These are similar to the metrics 508, and indicate various gatheredstatistics about the sensitive data in the organization, including anumber of sensitive data fields, which may indicate a number of databasefields in the input data sources that include sensitive data.

FIG. 8 illustrates an exemplary UI of a sensitive data list view,according to an embodiment. This exemplary UI may also be presented bythe data classification reporting module 114.

Upon selecting one of the items in the primary reporting page shown inFIGS. 5-7 , the data classification reporting module 114 may show asecondary page that drills down into the selected option, such as theone shown here. In the example, the user may have selected the sensitivedata type of address in the sensitive data types view 502. This maycause the data classification reporting module 114 to display thesensitive data list view shown here, and to check the box labeled“address” in the search filters 810 in order to filter by sensitive datatypes of the address type. Note that the user is free to check any ofthe other boxes in the search filters 810 to further filter the listeddata. Additionally, the search filters 810 includes a slider UI labeledconfidence score. This slider hides those detected data portions thathave a confidence value below a threshold indicated by the slider.

The data classification reporting module 114 displays a coordinateidentifier 802, a sensitive data type classification 804, a confidencevalue 806, and various metrics 808 in each row of the sensitive datalist. The coordinate identifier 802 may uniquely identify the subsectionof the input data sources at which sensitive data was detected by thedata classifier 108 as well as the type of sensitive data that wasdetected there. The subsection may be indicated by the name of thelocation at which it is stored as well as the label for the subsection.For example, it may be the name of a database table.

The sensitive data type classification 804 entry indicates the type ofsensitive data that was detected. Note that a subsection (e.g., a table)of the input data sources may store multiple sensitive data types. Theconfidence value 806 indicates the confidence of the system indetermining whether the data is sensitive data of the indicatedsensitive data type. Finally, the metrics 808 indicate an observed andestimated count of the data portions in the subsection that aresensitive data and of the sensitive data type indicated in the sensitivedata type classification 804 column.

FIG. 9 illustrates an exemplary UI of a drill down view of the sensitivedata list view of FIG. 8 , according to an embodiment. This exemplary UImay also be presented by the data classification reporting module 114.

A user may interact with any of the row element in the sensitive datalist view, which cause the data classification reporting module 114 todisplay a drill down view of the item that was interacted with. In thiscase, the first row was interacted with, and an additional drill downview is presented. In the drill down view, the data classificationreporting module 114 presents the actual storage location 902 where thesensitive data associated with the interacted row is stored. The dataclassification reporting module 114 also indicates the classifiercomponents 904 (e.g., metadata analyzer 202, reference data matcher204), and so on, which were used to scan the sensitive data. Here, thepattern matcher 206 and the reference data matcher 204 were used todetermine that the data is sensitive and that it is of an email type.The specific pattern, matching rule, and so on are shown under the“Details” column in the drill down view. The data classificationreporting module 114 may present UI options to allow a user to edit thepatterns, rules and other configuration options for each component.Further, the user may be able to indicate if the detection was a successor if it was a false positive or false negative. The data classificationreporting module 114 also displays the significance factors 906 assignedto each of the components. These may be used to compute the finalconfidence value described above with reference to FIG. 8 .

FIG. 10 illustrates an exemplary UI of a different drill down view ofthe sensitive data list view of FIG. 8 with different classifiercomponents, according to an embodiment. This exemplary UI may also bepresented by the data classification reporting module 114. Here,different classifier components 1002 are shown for a differentcoordinate identifier. Additionally, the data classification reportingmodule 114 presents the related data 1004, which may be contextual datathat is related to the data indicated in the first line of the drilldown view.

FIG. 11 illustrates an exemplary UI of a further drill down view of thesensitive data list view of FIG. 8 with entries that have low confidencevalues, according to an embodiment. This exemplary UI may also bepresented by the data classification reporting module 114. Here the dataclassification reporting module 114 presents confidence values 1102which are of a lower score. These may be below the threshold necessaryto trigger a detection of sensitive data.

FIG. 12 illustrates an exemplary UI of a different section of thesensitive data list view of FIG. 8 with contextual data, according to anembodiment. This exemplary UI may also be presented by the dataclassification reporting module 114. Here, the data classificationreporting module 114 presents contextual data 1202. The entries shownhere may be different columns of a single database table. While the dataclassifier 108 may determine that the first entry is a credit cardnumber, the significance factor may be low for the detection. However,upon determining that the same table has a column with names, as shownin the second entry, the final confidence value for the detection of thecredit card number may be greatly increased because the significancefactor of the detection based on the contextual data match is high, thusincreasing the combined confidence value.

Example Machine Architecture

FIG. 13 is a block diagram illustrating components of an example machineable to read instructions from a machine-readable medium and executethem in one or more processors (or controllers), according to anembodiment. Portions, or all, of the example machine described in FIG.13 can be used with the components described above with reference toFIGS. 1-3 . For example, the example machine may be used to execute thedata classifier 108.

In FIG. 13 there is a diagrammatic representation of a machine in theexample form of a computer system 1300. The computer system 1300 can beused to execute instructions 1324 (e.g., program code or software) forcausing the machine to perform any one or more of the methodologies (orprocesses) described herein. In alternative embodiments, the machineoperates as a standalone device or a connected (e.g., networked) devicethat connects to other machines. In a networked deployment, the machinemay operate in the capacity of a server machine or a client machine in aserver-client network environment, or as a peer machine in apeer-to-peer (or distributed) network environment.

The architecture described may be applicable to other computer systemsthat operate in the systems described above, such as a server computer,a client computer, a personal computer (PC), a tablet PC, a smartphone,an internet of things (IoT) appliance, a network router, switch orbridge, or any machine capable of executing instructions 1324(sequential or otherwise) that specify actions to be taken by thatmachine. Further, while only a single machine is illustrated, the term“machine” shall also be taken to include any collection of machines thatindividually or jointly execute instructions 1324 to perform any one ormore of the methodologies discussed herein.

The example computer system 1300 includes one or more processing units(generally processor 1302). The processor 1302 is, for example, acentral processing unit (CPU), a graphics processing unit (GPU), adigital signal processor (DSP), a controller, a state machine, one ormore application specific integrated circuits (ASICs), one or moreradio-frequency integrated circuits (RFICs), or any combination ofthese. The computer system 1300 also includes a main memory 1304. Thecomputer system may include a storage unit 1316. The processor 1302,memory 1304 and the storage unit 1316 communicate via a bus 1308.

In addition, the computer system 1306 can include a static memory 1306,a display driver 1310 (e.g., to drive a plasma display panel (PDP), aliquid crystal display (LCD), or a projector). The computer system 1300may also include input/output devices, e.g., an alphanumeric inputdevice 1312 (e.g., a keyboard), a dimensional (e.g., 2-D or 3-D) controldevice 1314 (e.g., a mouse, a trackball, a joystick, a motion sensor, orother pointing instrument), a signal generation device 1318 (e.g., aspeaker), and a network interface device 1320, which also are configuredto communicate via the bus 1308.

The storage unit 1316 includes a machine-readable medium 1322 on whichis stored instructions 1324 (e.g., software) embodying any one or moreof the methodologies or functions described herein. The instructions1324 may also reside, completely or at least partially, within the mainmemory 1304 or within the processor 1302 (e.g., within a processor'scache memory) during execution thereof by the computer system 1300, themain memory 1304 and the processor 1302 also constitutingmachine-readable media. The instructions 1324 may be transmitted orreceived over a network 1326 via the network interface device 1320.

While machine-readable medium 1322 is shown in an example embodiment tobe a single medium, the term “machine-readable medium” should be takento include a single medium or multiple media (e.g., a centralized ordistributed database, or associated caches and servers) able to storethe instructions 1324. The term “machine-readable medium” shall also betaken to include any medium that is capable of storing instructions 1324for execution by the machine and that cause the machine to perform anyone or more of the methodologies disclosed herein. The term“machine-readable medium” includes, but not be limited to, datarepositories in the form of solid-state memories, optical media, andmagnetic media.

Additional Considerations

Certain embodiments are described herein as including logic or a numberof components, modules, or mechanisms, for example, as illustrated inFIGS. 1-3 . Modules may constitute either software modules (e.g., codeembodied on a machine-readable medium or in a transmission signal) orhardware modules. A hardware module is tangible unit capable ofperforming certain operations and may be configured or arranged in acertain manner. In example embodiments, one or more computer systems(e.g., a standalone, client or server computer system) or one or morehardware modules of a computer system (e.g., a processor or a group ofprocessors) may be configured by software (e.g., an application orapplication portion) as a hardware module that operates to performcertain operations as described herein.

The performance of certain of the operations may be distributed amongthe one or more processors, not only residing within a single machine,but deployed across a number of machines. In some example embodiments,the one or more processors or processor-implemented modules may belocated in a single geographic location (e.g., within a homeenvironment, an office environment, or a server farm). In other exampleembodiments, the one or more processors or processor-implemented modulesmay be distributed across a number of geographic locations.

Unless specifically stated otherwise, discussions herein using wordssuch as “processing,” “computing,” “calculating,” “determining,”“presenting,” “displaying,” or the like may refer to actions orprocesses of a machine (e.g., a computer) that manipulates or transformsdata represented as physical (e.g., electronic, magnetic, or optical)quantities within one or more memories (e.g., volatile memory,non-volatile memory, or a combination thereof), registers, or othermachine components that receive, store, transmit, or displayinformation.

Some embodiments may be described using the expression “coupled” and“connected” along with their derivatives. For example, some embodimentsmay be described using the term “coupled” to indicate that two or moreelements are in direct physical or electrical contact. The term“coupled,” however, may also mean that two or more elements are not indirect contact with each other, but yet still co-operate or interactwith each other. The embodiments are not limited in this context.Further, unless expressly stated to the contrary, “or” refers to aninclusive or and not to an exclusive or.

Upon reading this disclosure, those of skill in the art will appreciatestill additional alternative structural and functional designs for asystem and a process for scanning for sensitive data through thedisclosed principles herein. Thus, while particular embodiments andapplications have been illustrated and described, it is to be understoodthat the disclosed embodiments are not limited to the preciseconstruction and components disclosed herein. Various apparentmodifications, changes and variations may be made in the arrangement,operation and details of the method and apparatus disclosed hereinwithout departing from the spirit and scope defined in the appendedclaims.

What is claimed is:
 1. A gateway device, comprising: a network interfacecommunicatively coupled with a plurality of data sources; a hardwareprocessor; and a non-transitory computer readable storage medium storingcomputer readable instructions, that when executed by the hardwareprocessor, cause the hardware processor to: access data from one or moreof the plurality of data sources, the accessed data comprising aplurality of data portions; access a set of classification rules, eachof the set of classification rules configured to classify a data portionof the plurality of data portions as sensitive data, each classificationassociated with a weight, and wherein one or more of the classificationrules are tuned using a classification tuner configured to identify acomponent that contributed most to false positive classifications ofsensitive data, to present the identified component to a user, and toallow the user to manually reduce a significance of the identifiedcomponent in future classifications; determine if the data portion issensitive by aggregating the weights associated with eachclassification; and in response to a selection of a security operationpresented to a user via a security user interface responsive todetermining that the data portion is sensitive, perform the securityoperation to reduce a security risk associated with the data portion. 2.The device of claim 1, wherein a data portion is at least one of: a cellin a table, a non-delimited string of characters, and a file.
 3. Thedevice of claim 1, wherein sensitive data is at least one of: an addresscomponent, a date of birth, a telephone number, an email address, asocial security number, a financial account number, a password, and ausername.
 4. The device of claim 1, wherein a classification rule of theset of classification rules is satisfied when the data portion matches apre-defined pattern associated with the classification rule.
 5. Thedevice of claim 1, wherein a classification rule of the set ofclassification rules is satisfied when a data parsing rule associatedwith the classification rule is applied to the data portion and returnsa true value.
 6. The device of claim 1, wherein a classification rule ofthe set of classification rules is satisfied when a contextual datarequirement specified by the classification rule is satisfied by one orboth of the data portion and associated data sources of the plurality ofdata sources.
 7. The device of claim 1, wherein a classification rule ofthe set of classification rules is satisfied when the data portionmatches an entry in a reference table specified by the classificationrule.
 8. The device of claim 1, wherein a classification rule of the setof classification rules is satisfied when a trained machine learningmodel associated with the classification rule returns a score for thedata portion beyond a threshold value, the score computed by the machinelearning model based on one or more features extracted from the dataportion and use as input for the machine learning model.
 9. The deviceof claim 1, wherein the selected security operation includes at leastone of encryption, tokenization, and obfuscation, and wherein theselected security operation is performed based on a desired securitylevel for the data portion.
 10. The device of claim 1, wherein theexpected rate of false positives associated with a classification ruleis determined by applying the classification rule to a training dataset.
 11. A computer-implemented method, comprising: access data from oneor more of the plurality of data sources, the accessed data comprising aplurality of data portions; access a set of classification rules, eachof the set of classification rules configured to classify a data portionof the plurality of data portions as sensitive data, each classificationassociated with a weight, and wherein one or more of the classificationrules are tuned using a classification tuner configured to identify acomponent that contributed most to false positive classifications ofsensitive data, to present the identified component to a user, and toallow the user to manually reduce a significance of the identifiedcomponent in future classifications; determine if the data portion issensitive by aggregating the weights associated with eachclassification; and in response to a selection of a security operationpresented to a user via a security user interface responsive todetermining that the data portion is sensitive, perform the securityoperation to reduce a security risk associated with the data portion.12. The method of claim 11, wherein a data portion is at least one of: acell in a table, a non-delimited string of characters, and a file. 13.The method of claim 11, wherein sensitive data is at least one of: anaddress component, a date of birth, a telephone number, an emailaddress, a social security number, a financial account number, apassword, and a username.
 14. The method of claim 11, wherein aclassification rule of the set of classification rules is satisfied whenthe data portion matches a pre-defined pattern associated with theclassification rule.
 15. The method of claim 11, wherein aclassification rule of the set of classification rules is satisfied whena data parsing rule associated with the classification rule is appliedto the data portion and returns a true value.
 16. The method of claim11, wherein a classification rule of the set of classification rules issatisfied when a contextual data requirement specified by theclassification rule is satisfied by one or both of the data portion andassociated data sources of the plurality of data sources.
 17. The methodof claim 11, wherein a classification rule of the set of classificationrules is satisfied when the data portion matches an entry in a referencetable specified by the classification rule.
 18. The method of claim 11,wherein a classification rule of the set of classification rules issatisfied when a trained machine learning model associated with theclassification rule returns a score for the data portion beyond athreshold value, the score computed by the machine learning model basedon one or more features extracted from the data portion and used asinput for the machine learning model.
 19. The method of claim 11,wherein the selected security operation includes at least one ofencryption, tokenization, and obfuscation, and wherein the selectedsecurity operation is performed based on a desired security level forthe data portion.
 20. The method of claim 11, wherein the expected rateof false positives associated with a classification rule is determinedby applying the classification rule to a training data set.